Dirty Pipe is one of the most serious Linux kernel vulnerabilities in recent years. The bug allows an unprivileged user to overwrite data in files it is only permitted to read, which can result in privilege escalation. The bug was fixed in the kernel on February 19, and for distributions such as Ubuntu a patch was written and released to end users in about 17 days. Android is based on Linux, so Google and Android manufacturers also need to fix the bug.
It has been a whole month since the fix reached Linux desktop distributions, so how is Android doing?
According to a timeline provided by Max Kellermann, the researcher who discovered the vulnerability, Google patched Dirty Pipe in the Android codebase on February 23rd. But the Android ecosystem is notoriously bad at delivering updated code to users. In a way, the slowness of Android helped with this vulnerability. The bug appeared in Linux 5.8, released in August 2020, so why, two years later, isn't it present far and wide across the Android ecosystem?
Android's supported kernel only jumped from 5.4 to 5.10 with the release of Android 12 six months ago, and Android phones don't usually move between major kernel versions. Only new phones get the latest kernel, and they then stay on minor, long-term-support updates of that kernel until they are retired.
The slow rollout of new Android kernels means that the bug only affects new 2022 phones, that is, 5.10-kernel devices such as the Google Pixel 6, Samsung Galaxy S22 and OnePlus 10 Pro. The vulnerability has already been turned into a working exploit that gains root privileges on the Pixel 6 and S22.
Google didn't answer our questions (or anyone else's) about what happened with the patch, but it is reasonable to expect the Pixel 6 to have the fix by now. This is a Google phone with a Google chip running Google's OS, so the company should be able to roll out an update quickly. After the fix landed in the codebase at the end of February, many third-party ROMs such as GrapheneOS were able to integrate it in early March.
It looks like Samsung actually got ahead of Google by issuing a patch. Samsung lists a fix for CVE-2022-0847 in its own security bulletin, indicating that the fix applies to the Galaxy S22. Samsung separates the vulnerabilities into Android bugs and Samsung bugs and reports that CVE-2022-0847 is contained in Google's April Android security bulletin, although this is not true. Either Samsung shipped a fix of its own and didn't list it as such on its bulletin, or Google pulled the fix from the Pixel 6 at the last minute.
The patch hit the Android source code repository 40 days ago. Now that the bug is public and available to everyone, it seems like Google needs to act faster to provide a fix.